Reg H2E without password identifier

Jouni Malinen j at
Thu Mar 11 17:33:46 GMT 2021

On Wed, Mar 10, 2021 at 11:34:19PM +0000, RAGHAVENDRA SADARAMACHANDRA (rsadaram) wrote:
>    I am running latest hostapd in H2E only mode using following hostapd.conf.
>   ….
>   sae_pwe=1
>   sae_groups=19
>   sae_password=example secret
>    Latest Wpa_supplicant is not connecting to H2E only mode AP, if I use wpa_supplicant.conf with only “sae_password=example secret”

Are you leaving the sae_pwe to its default value, i.e., H2E disabled, in
wpa_supplicant configuration?

>   Wpa_supplicant throws:
>   1615416250.587683: wlp5s0: Selecting BSS from priority group 0
>   1615416250.587690: wlp5s0: 0: f8:a2:d6:bc:d0:51 ssid='raghu-test-h2e' wpa_ie_len=0 rsn_ie_len=20 caps=0x411 level=-39 freq=2437
>   1615416250.587700: wlp5s0:    selected based on RSN IE
>   1615416250.587704: wlp5s0:    SAE H2E disabled
>   1615416250.587708: wlp5s0:    skip - rate sets do not match

This indicates that wpa_supplicant has SAE H2E disabled and cannot join
the network that mandates use of H2E.

>  If I use password identifier then it works. Following config works.
> Hostapd.conf:
> sae_password=example secret|id=pw identifier
> wpa_supplicant.conf:
> sae_password="example secret"
> sae_password_id="pw identifier"

Specifying SAE Password Identifier will automatically enable H2E since
the standard allows password identifier to be used only with H2E.

> Is there a way to test wpa_supplicant and hostapd without using pwd identifier?

Yes, you'll just need to enable SAE H2E in wpa_supplicant configuration
(sae_pwe=1 or sae_pwe=2).

Jouni Malinen                                            PGP id EFC895FA
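
The compatibility rule from this thread, as an added example that is not part of the original message and is not hostapd or wpa_supplicant code: a small Python check that reads both configuration files and reports whether the station can use a PWE derivation method the AP accepts. The function names, the simplified key=value parser, and the sample configurations (constructed from the settings quoted above) are assumptions; the default sae_pwe=0 is the one described in the thread.

```python
"""Pre-flight check: can this wpa_supplicant config join this SAE AP (sae_pwe only)?"""

HNP, H2E = "hunting-and-pecking", "hash-to-element"
# sae_pwe values: 0 = hunting-and-pecking only, 1 = H2E only, 2 = both
PWE_METHODS = {0: {HNP}, 1: {H2E}, 2: {HNP, H2E}}

def parse_conf(text):
    """Collect key=value settings; global and network-block keys share one dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue                      # blank, comment, or closing "}"
        key, value = line.split("=", 1)
        if value.strip() != "{":          # skip the "network={" opener
            conf[key.strip()] = value.strip().strip('"')
    return conf

def station_methods(sta):
    """PWE methods the station will use, per the rules stated in the thread."""
    methods = set(PWE_METHODS[int(sta.get("sae_pwe", 0))])  # default: H2E disabled
    if "sae_password_id" in sta:          # password identifier enables H2E
        methods.add(H2E)
    return methods

def can_join(ap_text, sta_text):
    """True if AP and station share at least one PWE derivation method."""
    ap, sta = parse_conf(ap_text), parse_conf(sta_text)
    return bool(PWE_METHODS[int(ap.get("sae_pwe", 0))] & station_methods(sta))

# Constructed sample configurations based on the settings quoted in the thread.
AP_H2E_ONLY = "sae_pwe=1\nsae_groups=19\nsae_password=example secret\n"
STA_NETWORK = 'network={\n  ssid="raghu-test-h2e"\n  key_mgmt=SAE\n' \
              '  sae_password="example secret"\n%s}\n'
STA_DEFAULT = STA_NETWORK % ""                      # sae_pwe left at default
STA_H2E = "sae_pwe=1\n" + STA_NETWORK % ""          # H2E enabled globally
STA_BOTH = "sae_pwe=2\n" + STA_NETWORK % ""         # both methods enabled
STA_PWID = STA_NETWORK % '  sae_password_id="pw identifier"\n'

if __name__ == "__main__":
    for name in ("STA_DEFAULT", "STA_H2E", "STA_BOTH", "STA_PWID"):
        print(name, "->", "ok" if can_join(AP_H2E_ONLY, globals()[name]) else "no match")
```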
